Summit 7 Blogs

The Tools to Take on NIST 800-171's Top 10 Most Failed Objectives

Written by Caleb Leidy | Oct 31, 2024 4:14:07 PM

Anyone facing the regulations associated with handling Controlled Unclassified Information (CUI) in support of Department of Defense contracts knows that it can be difficult to find a starting place. Even when working with Contracting Officers, simply identifying the CUI associated with your contracts can become a daunting task. The advantage contractors have on their side is that the requirements are spelled out in the DFARS 252.204-7012 clause written into their contracts.

The most daunting task in DFARS 7012 is implementing the security requirements outlined in NIST SP 800-171. Yet, with all the information available about what needs to be done, getting it done can still be quite overwhelming.

In this blog we’ll cover:  

  • Where should contractors start when implementing NIST SP 800-171 for Controlled Unclassified Information (CUI)? 

  • What are the top 10 commonly failed requirements in cybersecurity assessments? 

  • What tools and resources, like Microsoft services, can help contractors meet these cybersecurity requirements? 

  • Why is senior leadership buy-in essential for successfully achieving compliance and security? 

Where should contractors start when implementing NIST 800-171 for CUI? 

The Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC – and yes, that does win the award for longest acronym in our industry) in 2023 released a list of the Top 10 Other than Satisfied (OTS) requirements that resulted from the assessments of more than 100 defense contractors. When this list was released, a great number of organizations within the industry believed that addressing the list was a great place to start; however, these requirements produced the highest number of failures throughout those assessments for a reason. On the surface, "just be sure to use FIPS-validated encryption" and "you should implement multifactor authentication for all users as a standard practice" sound like simple statements that would be easy to act on. Those who have tried to execute on them know this is not the case.

What are the top 10 commonly failed requirements in cybersecurity assessments? 

So, what are the requirements that have become the bane of the Defense Industrial Base’s (DIB’s) existence? According to a presentation by DCMA in 2023, the following are the troublesome requirements: 

Overall, these requirements are basic in concept. So why all the trouble? Most organizations seeking compliance make one of the following mistakes:

  1. Not understanding the requirement.
  2. Not implementing any solution to address the requirement.
  3. Not implementing a solution that fully addresses the scope of the organization’s assets being assessed.  

But don’t worry - there are solutions out there and resources that can help your organization achieve compliance with these requirements and many more within the NIST SP 800-171 framework. 

What tools and resources can help contractors meet these cybersecurity requirements? 

1. The Microsoft Product Placemat for CMMC 2.0 

The first resource to consider is the Microsoft Product Placemat for CMMC 2.0, which outlines the available Microsoft solutions that map to these requirements and informs the user how to use those tools to support meeting them. This is of course not the only route to take, but Microsoft offers a large set of tools that enable the implementation of effective security controls and keep an organization compliant with CMMC requirements.

How about some examples?

Let’s examine the top two requirements that are failed or partially failed more than any others of the 110 overall requirements: FIPS-validated Cryptography and Multifactor Authentication. 

Examining the table above from the Product Placemat, we can see that Microsoft solutions include primary services that help organizations with 3.5.3 and 3.13.11 (our top 2). When we examine the FIPS-validated Cryptography requirement, we can follow the path to the Cryptographic Module Validation Program (CMVP) Database and see that Microsoft's cryptographic modules carry CMVP validation certificates. Similarly, Microsoft provides Multifactor Authentication via its primary services as well as integration with other MFA providers. In fact, Microsoft provides a long list of services and tools that can be used to help organizations implement controls for most requirements in the CMMC framework.

2. Configuring Solutions for CMMC 

As helpful as it is to have a set standard of requirements given to us by regulation and multiple sets of tools and services available to implement effective solutions, there is still one piece missing: action. Someone must properly enable and configure these services in order for them to work in a compliant way:  

  • If we follow the CMVP Database example and look at the many FIPS 140 validation certificates that carry the Microsoft name, we will discover that the existence of validated modules is not enough in and of itself to satisfy requirement 3.13.11 of NIST SP 800-171. The validated module also has to be the one actually performing the cryptography, and it has to be configured to operate in its approved "FIPS mode". On Windows, for example, that means enabling the system cryptography policy for FIPS-compliant algorithms; a validated module that is installed but never put into FIPS mode does not satisfy the requirement.
  • In the case of MFA (3.5.3), someone needs to put the technical policies in place that enforce multifactor authentication (for example, Conditional Access policies in Microsoft Entra ID), make sure every in-scope user, privileged accounts included, is in the groups those policies target, and document and justify any exclusions, because an assessor will ask about them.

3. Finding a Managed Service Provider (MSP)

Ensuring everything is properly configured and maintained is where a Managed Service Provider (MSP) comes into play. Leveraging an MSP can be particularly effective if the MSP is an expert in using the same tools and services the organization intends to use to implement controls that address CMMC requirements. Summit 7's MSP is an excellent example of this powerful combination.

4. The Need for a Shared Responsibility Matrix (SRM)

If the requirements are known, the tools and services are known, and all of this is backed by experts utilizing those tools and services, it's easy to see how addressing these top ten problem children becomes a little less chaotic. We can see further examples of how this plays out if we match the requirements, the tools, and the Summit 7 Shared Responsibility Matrix (SRM).

For the two biggest problem requirements for all DIB organizations - 3.5.3 and 3.13.11 - we have to consider WHY FIPS-validated cryptography and MFA are so difficult to deal with. The reality is that they aren't all that difficult, but there are a couple of things missing that would make a world of difference for companies attempting to properly address them.

5. Satisfying the FIPS/MFA Assessment Objectives Boils Down to Scope and Operational Efficiency

Each of these requirements is most often a scope issue. Assessors will be looking to see whether the control has been applied to the entirety of the organization's in-scope systems and users. If it has not, the assessment objectives are not satisfied, no matter how well the control works where it was applied.

For FIPS-validated cryptography, scope also intersects with operational efficiency. The concept is simple: wherever cryptography is the mechanism relied on to protect the confidentiality of CUI, whether in transit or at rest, the module performing that cryptography must hold a current CMVP validation and be operating in its approved mode. Finding technologies that have been validated under the CMVP is the challenge, and finding technologies that integrate FIPS-validated modules seamlessly enough that operations can continue effectively only adds to it.

MFA implementation is less of an issue as far as technology is concerned. Plenty of providers offer solutions that meet the requirement and provide appropriate protection. However, requiring every applicable user to use MFA for access to the information system will cause quite a stir in organizations that are not used to it, and correctly applying the technical policies that enforce it is a recurring headache when the full scope has to be covered.
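The two configuration points above (putting validated modules into FIPS mode, and enforcing MFA across every in-scope user) are exactly what an assessor will check against scope. The following PowerShell is an added example of how an administrator can produce that evidence; it is not from the original post, Microsoft, or Summit 7. It assumes Windows endpoints reachable over WinRM, the Microsoft.Graph PowerShell module already connected with Policy.Read.All (Connect-MgGraph), and the hostnames at the bottom are placeholders.

```powershell
# Added example, not part of the original post. Two scope checks for the top-two OTS items.
# Assumptions: WinRM access to the listed hosts; Connect-MgGraph -Scopes Policy.Read.All already run.

# --- 3.13.11: is the Windows FIPS algorithm policy actually on for each in-scope host?
# A CMVP certificate for the OS modules does not help if this value is 0 (or absent).
function Test-FipsMode {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $enabled = Invoke-Command -ComputerName $c -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                -Name Enabled -ErrorAction SilentlyContinue).Enabled
        }
        [pscustomobject]@{ Computer = $c; FipsMode = ($enabled -eq 1) }
    }
}

# --- 3.5.3: which enabled Conditional Access policies require MFA, and whom do they exclude?
# An assessor wants to see IncludeUsers = 'All', State = 'enabled', and every exclusion justified.
function Get-MfaPolicyCoverage {
    $policies = Get-MgIdentityConditionalAccessPolicy
    foreach ($p in $policies) {
        $requiresMfa = ($p.GrantControls.BuiltInControls -contains 'mfa') -or
                       ($null -ne $p.GrantControls.AuthenticationStrength)  # authentication-strength policies also count
        if (-not $requiresMfa) { continue }
        [pscustomobject]@{
            Name          = $p.DisplayName
            State         = $p.State   # 'enabledForReportingButNotEnforced' is report-only, i.e. not enforced
            IncludeUsers  = ($p.Conditions.Users.IncludeUsers  -join ',')
            ExcludeUsers  = ($p.Conditions.Users.ExcludeUsers  -join ',')
            ExcludeGroups = ($p.Conditions.Users.ExcludeGroups -join ',')
        }
    }
}

# Placeholder hostnames; substitute the in-scope asset inventory.
Test-FipsMode -ComputerName 'cui-ws01', 'cui-srv01' | Format-Table
Get-MfaPolicyCoverage | Format-Table -AutoSize
```

Run the first function against the full in-scope asset inventory, not a sample: one host reporting FipsMode = False is a scope gap for 3.13.11. In the second report, any policy whose State is report-only, whose IncludeUsers is a narrower group than the in-scope user population, or whose exclusion lists contain undocumented accounts is the kind of finding that turns 3.5.3 into an OTS result.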

Our Formula for CMMC Success

If you want confidence when facing CMMC, leverage this winning formula:  

   Standard Requirements   
+ Tools and Services  
+ Experts  
+ Leadership Buy-in

------------------------------ 
= Compliance and Security 

If we compare the requirements against both the Microsoft Product Placemat and the Summit 7 Shared Responsibility Matrix, we can see that a great number of the requirements and Assessment Objectives (including these pesky Top 10 OTS) can be handled using the formula.  

And yet, it is critical to understand that service providers cannot assume responsibility for requirements that inherently rely on organizational authorities to make decisions and authorize actions. Remember, the responsibility is shared.

Outside of the Top 2 most failed requirements, the remainder of the Top 10 depend heavily on decisions and actions that the internal organization is responsible for. That's why leadership buy-in is so important.

These include items such as:  

  • Defining a review process for deciding whether the list of audited events is adequate to support investigations;
  • Determining an acceptable baseline configuration for the full scope of technologies in the environment; and
  • Running a risk assessment program that supports organizational objectives and is based on the risk appetite of the organization.

Only authorities within the organization can make these determinations. This is true of requirements outside the Top 10 as well, but it is a likely reason these requirements landed in the Top 10 to begin with.

Let's look at another example from the Top 10, 3.14.1, to highlight the significance of leadership buy-in:

On the surface, identifying, reporting, and correcting information and information system flaws in a timely manner seems straightforward; however, as with all things CMMC, this is not a prescriptive requirement. An assessor will need to use the Assessment Objectives to understand what "timely manner" means to the organization being assessed. Service providers such as Microsoft and Summit 7 can specify times that they consider best practice or "good", but these service providers have no authority within their clients' organizations to specify those times on behalf of the client. In the Summit 7 Shared Responsibility Matrix, the objectives for specifying times are marked as a shared responsibility. This is because Summit 7 can guide the client on recommended times, but only an authority within the organization can officially declare these are the times they are choosing.

Following along the other Assessment Objectives, we see that Summit 7 takes responsibility for carrying out the technical implementation and actions to ensure flaws are identified, reported, and corrected within the specified time frame... uh oh, let's call that back up: "within the specified time frame". The appearance of this phrase in all three Assessment Objectives that need implementation evidence shows us that no technical implementation can satisfy this requirement without specified time frames. Even if flaws were being identified, reported, and corrected within one hour, there is no official specification from the OSC that declares a one-hour time frame "good enough" for their organization. In this case, if an organizational official has not properly specified and documented times to identify, report, and correct flaws, all six objectives would be marked NOT MET during an assessment, even if the technical implementation is "good" by industry standards.

The lack of leadership buy-in leads to an over-reliance on service providers to do what only the leadership can do. That's why leadership buy-in is the x-factor of our formula for CMMC Success.

However well the requirements are understood, however well the tools and services address the technical aspects, and even if the top experts in the industry are supporting those tools and services, it is impossible to meet these requirements if the proper authorizations, decisions, and actions are not taken by the leadership of the organization. Leadership is ultimately accountable and responsible for upholding the organization's end of the contracts that drive the requirements.
 

Get Leadership Buy-in with the CMMC Pathfinder Tool 

If you need help getting leadership buy-in today, use our CMMC Pathfinder Tool. In 5 minutes or less, find out where you are on your compliance journey, what next steps we recommend, and have a plan for CMMC to hand your leadership today. Check out the tool here to get started.